The Lawyer and the Fool: Musings on Security

Chris Mark, ProPay
Recently I spoke at an InfraGard event in Salt Lake City about data breaches and how companies should protect their systems. Having been involved with a large number of data breaches (after the fact), I am frequently taken aback by companies who don't believe that they are truly at risk of compromise, or who believe that they can singlehandedly keep the proverbial wolves away from the door. My presentation was mentioned in the Salt Lake Tribune, and as I was reading through the comments, I saw one person who confidently stated:
"It's incredibly easy to keep your data safe if you're using a computer to do your own transactions. Your computer has built in protections if you know how to properly use them."
My reaction was "are you kidding me?" In fact, it is very difficult to protect data that resides on your own systems. This is especially true for small merchants, and it is demonstrated by the numerous data breaches that are identified on a weekly basis. This person is suggesting that the "computer has built in protections" which are sufficient to protect against attacks. While systems do have some built-in controls, those controls are only one layer; they should be used as part of a larger strategy employing defense in depth, so that no single control has to hold on its own.

In another example, I was working with a security vendor, evaluating their security, and I made some observations about their network architecture and how I felt they might be exposed to some risk because of a particular characteristic of their network. When I brought this up to their network engineer, his response was simply to say: "If they want to try to hack into my systems, I say... bring it!" As can be imagined, he ignored my observations.
While nobody likely wants to be a victim or wants to admit that they need specific expertise, there are some areas in life where expertise helps. Most of us go to a doctor when we are sick. We take our cars to a trained mechanic when they are broken, we hire accountants to help us with taxes, and we hire lawyers when we need legal advice. I am frequently amazed that some people with little or no real knowledge of information security will make flippant statements about the threats and attempt to manage their security without knowledgeable help. There is an old adage that says: "A lawyer who represents himself has a fool for a client." In much the same way, a person without the necessary expertise who attempts to manage their own security is facing an uphill battle. For those looking for help in information security, a little education goes a long way.
Here are some great resources: SANS Institute: www.sans.org; Center for Internet Security: www.cisecurity.com; Microsoft Security Center: www.microsoft.com/security
For those looking for consultants or experts to help with payment card (credit, debit, charge) security, a good resource is the Payment Card Industry Security Standards Council, where you can review a list of approved vendors: www.paymentsecuritystandards.org